scratching the Surface...

I recently had a few days to play with a Microsoft Surface tablet...And...well...let's just say it won't be on my Christmas list.

Now, as the hardware goes, it's actually pretty nice. Good, solid feel. I like the metal. I like the kickstand. The magnetic snap-in keyboard-cover combo is pretty slick...but if I were picking one out for myself, I'd get the Type Cover instead of the Touch Cover; I can easily out-type the Touch Cover, and that's just not something I was expecting from a Windows device that appeared to have a regular keyboard. Nice, bright screen, but the aspect ratio is a little weird...fairly responsive touch panel...And the whole thing easily fits in the PadPocket of any of my numerous SCOTTEVEST jackets.

But then we get to the software. And that moves us a bit below the Surface. Now we're really talking about the next iteration of Windows.

You know, in moderation, I like the Metro tiles. Fundamentally, I can appreciate the guiding principles behind the design. And on the Windows phone, I think it works well. But on a larger interface, it can be a bit much. "Glanceable" information only works if you can take everything in with a glance...Look at Ambient Devices for a few good examples.

And hey, Windows 8 does include some good features...The easier migration, the click-to-reset option that preserves user data, deep integration of touch...all great ideas for a desktop operating system. But...I'd have rather seen such features added as utilities on the Windows 7 interface.

Many of us have worked with Windows Operating Systems for years; there are basic things we now expect. The search-and-run box, the program menu, the control panel, the ability to do almost everything from the command prompt...These were great, prominent features...and I know, for the most part, they're kinda in there...But they're buried deep.

Look, fundamentally, when my iPad or my Android isn't "enough" for the task at hand...which, for me, happens frequently...I go to my more powerful Windows system. The simplified interfaces of these consumer devices may be enough for a big population of the users, but there's still a decent crowd of us who want the Windows OS to be the complicated mess of arcane registry keys and hidden command line operations that have helped us draw the lines between casual computer users and hardcore computer geeks for the better part of the Information Age...That's why those of us in the latter category aren't replacing our Windows machines, we're just adding more devices to our arsenals.

When it comes to Windows OS upgrades, I'm historically an early adopter. I'm usually one of the people trying to figure out how to make a game run on the newer version of DirectX, or rebooting 118 times while trying to force in a compatibility shim for a productivity product that won't have a formal fix until months have passed. With Windows 8, unless they release a "Windows 8 Ultimate CompSci Geek" edition, this is shaping up to be the first time in over two decades I'll be holding on to my down-level Windows Operating System until I'm compelled to move by external forces.

-TZ

I think you broke it.

Shadowrun Online: all kinds of interesting complexity

Okay, I admit it.  I have a bit of a Kickstarter addiction.  I love the idea...If you're not familiar and want the quick summary, it's an all-or-nothing social funding system...A project creator gets to both raise money and gauge interest for a proposed project before sinking valuable resources into full production development.

I've personally contributed to about a dozen projects, half of them in the Video Games category...one of which is Shadowrun Online...This one caught my attention before I even looked at the mock-ups or prototype gameplay footage...What interests me here is the unexpected mash-up of business models...and it all started with the Kickstarter-based funding.

Although not unique, it's certainly still an emerging method.  So start with Kickstarter to ramp up your project, and then move on to the game model itself...It's a massive online multiplayer...Plenty of those, sure.  But they're planning to run on PCs, Macs, iPads (v2 or higher), and Android (Galaxy Tab 10.1 or better), in a Web Browser, and as a traditional stand-alone game client, with (softer) plans to support Linux.  To top it off, they're going for the ultimate in cross-platform by mixing media and including a campaign expansion for the Shadowrun 4th Edition tabletop game.

But wait!  There's more...

[dead image removed 2013.may.02]

As if it wasn't already complex enough, they're taking a hybrid approach to the ongoing "persistent" part of the gameplay.  Out of the gate, there's plans for a Free-to-Play model, with cashflow provided through micro-transactions for in-game items or premium subscriptions.  They're also planning for a Buy-to-Play model, where you buy the primary game, plus pay for additional modules with no ongoing subscription costs (similar to Guild Wars). You own the game for as long as the servers are still up & running. On servers that follow that model, you won't be able to use real money to buy items in-game.  The graphic on the side illustrates the differences...

That's biting off quite a bit.

So I hope Cliffhanger Productions gathers enough pledges to fund this project...I'll be really interested to see how this all plays out. Oh...And if you decide to back the project yourself, please, tell 'em TrackZero sent you so I can get the free tabletop miniature.

-TZ

hoi, chummer

favorite malware message o' the day...

Just received this (with a little malware zip hanging on for the ride) and it made me laugh.

[some headers clipped]

Received-SPF: softfail (google.com: best guess record for domain of transitioning EmilyVulich@comcast.com does not designate 74.113.107.202 as permitted sender) client-ip=74.113.107.202;
Return-path: <EmilyVulich@comcast.com>
Received: from [74.113.107.202] by mx1.comcast.com; Tue, 10 Jul 2012 09:54:50 -0500

From: Logistics Express <accountservices@ups.com>
To: me
Subject: You have urgent work
Date: Tue, 10 Jul 2012 09:54:50 -0500

Hi, track

We got today a letter from tax dpeartment they writing that we have not paid all needed taxes. You must urgent clear this shit other way they are freeze our bank accuonts.

I have scanned the letter for you, you will find it in attach. Clear this situtaion and write me back.

Of course, the headers weren't visible...

But seriously, even without the headers, how does this kind of thing ever work?

Even if I ignore the bad grammar & spelling, and expect that most end users wouldn't check the headers & wonder why EmilyVulich@comcast would have sent a message as accountservices@ups through a channel that doesn't conform to the Sender Policy Framework...Okay, I get that there's only a handful of us that even know how to look at things like that...So ignoring all of that...why would I ever believe that an error paying taxes on my part would lead to UPS having their bank accounts frozen?

Good stuff. Thanks, Anonymous Malware Spammer, for the laugh.

-TZ
this guy seems legit.

not-so-secret questions...

You want to know something that drives me nuts?

Password reset questions.  Yeah, I know, I'm not the only one, and it's certainly not an original or new complaint...But hey, it's the first time I've complained about it (in this forum, at any rate).

As anyone in InfoSec can attest, password-based authentication systems are frequently flawed...But when your only interaction with your customers is an impersonal remote connection -- via a seemingly-infinite variety of potential computing devices -- password-based systems are easy to implement & manage.

As an end user with little visibility to the protections implemented by a given website, the only sure way to mitigate risks associated with potential weaknesses is to take matters into your own hands...Use strong passwords...Rotate them on occasion...Don't use the same password for multiple sites.  If you hang out with any InfoSec geeks, I'm sure you've heard this all before.

Analog Password Manager

And unless you have an eidetic memory (or an office that looks like a scene out of Conspiracy Theory), keeping track of your passwords when following such a practice can get rather complicated...So, to my friends & family, I usually recommend a password manager like LastPass (there are others, but I prefer LastPass because it supports a variety of multi-factor options).  And for my coworkers, I usually hand them a page from my notebook (pictured).

So you do everything right. You get yourself a password manager. You set long, meaningless passwords with letters, numbers, symbols...maybe even the occasional umlaut (otherwise known as "röck döts,")...And then one day, you log in to your bank, and they ask you to provide answers to some secret questions, in case you ever need to reset your password.

Seems like a good idea, right?  I mean, I'd hate to lose access to my online account.  Because then I'd have to go interact with a teller face-to-face. And honestly, I don't exactly remember how that works....there was...something on the news...about wearing not nylons on your head...Anyway, not that it matters -- I'm pretty sure the closest physical office for my bank is roughly 1300 miles from my home.

So, yes, it seems like it'd be good to have a backup plan, in case I forget my password.

But...

My....my mother's maiden name?  I'm from a small town; how hard can that be to figure out?  Name of my first pet??  I'd give that info up during a casual conversation without even thinking about the risk.  Father's middle name?  That's gotta be statistically easy to extrapolate.

A decade ago, before social networks became all the rage, there may have been a few questions in the pool that would have felt a little difficult to guess.  But today, there are Facebook apps trying to build out your family tree.  Your favorite book/movie/food/hamburger-topping/band/band-name-that's-also-a-city/breed-of-fish/etc is all potentially published right there at the top of your profile.  Seven-hundred-thirty-six of your closest friends, most of whom wouldn't know your name if you ran into them on the street, are wishing you a happy birthday on your wall.

And we thought password-based systems were weak before this.

Sure, you can take some basic precautions to help your own children...Name your pet something uncommon, perhaps with a hyphen or apostrophe. But nothing stops them unraveling your careful work by posting an update on Twitter, "Taking my new pet, O'Fluffy-the-Kitteh, to Grandma MomsMaidenName's house where she grew up, in Bumbletucky, for my birthday next Tuesday."

My guidance to end users? Don't answer those password reset questions accurately. If the site is "high value," (your bank, or something that could be used to order & ship expensive koala meat), create random strings of text & store your answers in the notes section of your password manager.

And my guidance to companies implementing such practices?  Look, single-factor password systems were weak before...maybe it's time to move forward?  Look at how Google implemented 2-step verification, or look at how LastPass enables multifactor with the Google Authenticator. If you're a retail site, and I forget my password, I don't mind if you lock my transaction history & force me to reset any stored payment methods (I'd actually prefer it).  If you're running a low-sensitivity comment forum, I probably don't need anything more than email confirmation for the reset.  Just...don't further compromise your whole system just to save a couple bucks on customer support....It won't save you anything, in the long run.

-TZ
and +B!ng(0) was his name-o

and now, a word from our author...

Let's kick off this new blog with a bit of an introduction...

First, a bit about my nom de plume...I've been operating online as TrackZero since the Dark Times, when Prodigy & CompuServe were still real, squelching things you could summon through arcane portals, opened by the ancient, wailing incantation of modem-song.  The alias is a reference to the old CHS method for addressing locations on a hard drive. Track0 contained the partition table (layout information for the rest of the disk) and the bootstrap code required to fire up the operating system...So without Track Zero, all the other bits were basically meaningless.

Perhaps, in the very beginning, I thought to use the alias as a veil for my real-life identity...but after a cursory glance at the echos left by simply participating as a consumer of modern conveniences, the illusion of potential anonymity in a tech-centric world was quickly dispelled.

TrackZero is now, for all practical purposes, my always-on persona.  I've done little to firewall the pseudonym from my real-world identity.  I've lived in states that freely published their DMV records (with SSN!), I've gone to schools that blindly published fully-populated, anonymously-accessible CSOPhonebooks, and I've received data-breach notices from more institutions than I care to recount...So if you're a skiddie and you want to show me how fast I can be doxxed, you'll understand why I don't seem shocked or impressed.

Well, that's the name...origin of the brand, if you will.  And the guy behind it?  I'm a hacker, and have been since well before it took on any lawless connotation.  Many had rightly identified me as a geek, at a time when the less-technical local villagers would have considered such a title to be a derogatory term. My peers were often perplexed as to why I would accept --if not happily wear -- such insult so proudly; I like to think it's because I knew what was coming next.

Throughout my career, I've built a broad range of expertise across many Information Technology disciplines. I started as a COBOL programmer, but I quickly moved to infrastructure engineering.  My niche areas include Information Security, Client/End-User, Systems Management, and Identity & Directory services.  Other strengths include Windows Server, messaging, and many aspects of network engineering & operations.  I published or contributed to a handful of technical books back in the days when they still made 'em out of dead trees.  I'm a CISSP, but don't hold that against me...I've known this stuff since well before anyone started peddling certifications.  Sometimes you just need the right acronym to get 'em to open the door.

In Real Life, I can fake a fairly respectable corporate persona.  Enough so that I've been in mid-level management for Fortune 50 companies for the last ten years.  This is the Management Track, as it were, and I can keep him out there for years on end, when I need to.

But...it always feels a bit like holding my breath.

And eventually, I've gotta breathe.

-TZ
whooooooooooooosh

trackzero: rebooted

Well, hey, everybody!  Welcome back!

If you're just tuning in for the first time, thanks for visiting, hope you like what you see...Check back with us* periodically...I'm told it's frequently entertaining, occasionally educational, and often terribly inaccurate...

What's that?  Where have I been?  Ah....yes, that.  It's been a long time.  A little over five years, since I last published anything. Sorry, no-longer-faithful readers (of which, upon this fresh, inaugural post, to my brand-spankin'-new domain name, there are exactly none).  I stopped all professional writing and most personal blogging with my last job change/cross-country relocation...but recently, the trackzero.com domain became available...so I snapped it up, and here I am.

Yep, back on line. An old-school blogger, back blogging 'bout blogable bits, on this, my blog.

Hmm.  Turns out, I still detest the word "blog." (damn you, Peter Merholz)  But it's been over a decade now, and I still haven't been able to convince anyone else to call 'em weasels, so I'll go with the public consensus.

My intent, circa post one, is for this to be my InfoSec/Technology industry professional blog.  I'll stick to the social networks for the occasional personal ramblings.

-TZ
Welcome back my friends, to the show that never ends.